How Alipay Uses AI to Revolutionize Application Security Development Lifecycle

This article details Alipay's AI4SDL framework, describing how AI-driven tools and multimodal models automate risk identification, enhance code analysis, and streamline security operations across the entire software development lifecycle, while also outlining current challenges, systematic solutions, and future directions for secure, rapid product innovation.

Alipay Experience Technology

Overview

Since 2016, Alipay's security team has built the Alipay‑SDL 1.0 full‑stack application security development lifecycle, aligning with industry security trends and regulatory compliance while supporting rapid business growth.

With the "double‑flywheel" strategy, Alipay expands digital payment services, prompting the need to raise security standards alongside accelerated development. AI, especially large‑model technology, offers a path to upgrade security tools and operations.

Current SDL Challenges

The existing SDL process involves security engineers using tools to assess risks during requirement analysis, design, coding, testing, and deployment.

Figure: Application Security Development Lifecycle

Key challenges include rising business complexity, evolving AI‑driven threats, and increasing workload for security engineers.

Rising cost of understanding business logic across diverse application scenarios.

Complex, evolving security risks introduced by new AI models.

Security engineers facing workload spikes as development cycles shorten.

Systematic Thinking for Intelligent Upgrade

Alipay introduces AI at every SDL stage, forming a new security paradigm that treats SDL as intellectual labor involving engineers, tools, and applications.

From the perspective of the object of that labor (the application), AI improves the automatic understanding and representation of business logic.

From the tool perspective, AI strengthens the computational power of security tools, improving detection of complex logic vulnerabilities.

From the engineer perspective, AI enables cross‑domain risk identification, reducing reliance on single‑risk specialists.

AI4SDL Practice

(1) Document Intelligence and Risk Element Extraction

Unstructured documents (requirements, designs, APIs) are processed by a multimodal large language model (MLLM) that performs dynamic structure‑aware segmentation, creating high‑quality security knowledge corpora.

GraphRAG‑based Knowledge Retrieval: A heterogeneous graph captures entities and relations, with a Personalized PageRank algorithm prioritizing critical security nodes.

LLM‑Driven Knowledge Evaluation: Synthetic QA benchmarks and a four‑dimensional metric (accuracy, completeness, clarity, richness) improve knowledge recall by over 20%.
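Personalized PageRank over a heterogeneous security graph, as an added illustration that is not Alipay's code: restart mass is concentrated on the nodes a query touches (here one API entity), so entities near it, such as the data fields it handles and the controls that guard it, surface first. The graph, its node-type prefixes and the names are all constructed for this example.

```python
"""Personalized PageRank over a small heterogeneous security knowledge graph."""
from collections import defaultdict

# Constructed sample graph (not Alipay's data). Node-type prefixes:
# doc: requirement document, api: interface, data: data field, ctrl: security control.
EDGES = [
    ("doc:payment-req", "api:transfer"),
    ("doc:payment-req", "api:query-balance"),
    ("api:transfer", "data:card-number"),
    ("api:transfer", "ctrl:2fa-check"),
    ("api:query-balance", "data:user-id"),
    ("data:card-number", "ctrl:field-encryption"),
    ("doc:marketing-req", "api:send-coupon"),
    ("api:send-coupon", "data:user-id"),
]


def build_adjacency(edges):
    """Undirected adjacency: relations are traversed in both directions."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def personalized_pagerank(adj, seeds, damping=0.85, iters=200, tol=1e-12):
    """Power iteration; the teleport vector restarts only at the seed nodes."""
    nodes = list(adj)
    teleport = {v: (1.0 / len(seeds) if v in seeds else 0.0) for v in nodes}
    rank = dict(teleport)
    for _ in range(iters):
        new = {v: (1.0 - damping) * teleport[v] for v in nodes}
        for v in nodes:
            share = damping * rank[v] / len(adj[v])  # spread rank evenly over neighbours
            for w in adj[v]:
                new[w] += share
        delta = sum(abs(new[v] - rank[v]) for v in nodes)
        rank = new
        if delta < tol:
            break
    return rank


def top_k(rank, k=3, exclude=()):
    """Highest-ranked nodes, optionally dropping the seeds themselves."""
    ordered = sorted(rank.items(), key=lambda kv: -kv[1])
    return [v for v, _ in ordered if v not in exclude][:k]


if __name__ == "__main__":
    graph = build_adjacency(EDGES)
    scores = personalized_pagerank(graph, seeds={"api:transfer"})
    print(top_k(scores, exclude={"api:transfer"}))
```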

(2) Code Risk Reasoning and API Semantic Annotation

Rule‑Driven Risk Reasoning (RAC): A knowledge graph with billions of nodes standardizes code, API, and data flow representations for traceable risk inference.

Semantic‑Enhanced Code Analysis: Large models annotate API semantics, achieving >70% accuracy on HarmonyOS ArkTS SDK annotations.

Multi‑Agent Collaborative Framework (RAC Agent): Specialized agents handle data‑flow analysis, permission checks, and sensitive operation detection, coordinating via intent understanding and strategy generation.

(3) Full‑Link Intelligent Operations

SDLHUB Change‑Perception Center: Integrates real‑time change detection with LLM‑assisted risk ranking.

End‑to‑End Visual Analysis:

Business behavior chain visualized as process graphs.

System call chain built from distributed tracing data.

Data flow lineage tracks sensitive data propagation.

SDLCopilot Intelligent Security Architecture: A four‑layer design (application interaction, agent service, agent support, infrastructure) combines LLM semantics, vector databases, and modular toolchains for adaptive security operations.

Future Outlook

Achieving near‑perfect (≥99%) AI‑driven vulnerability detection requires further reliability improvements. Ant Group’s HOP solution introduces programmatic SOPs and verification to mitigate hallucinations, moving toward fully autonomous security assurance.

Conclusion

Alipay’s AI‑driven SDL framework dramatically improves security efficiency and developer experience, setting a benchmark for the industry.
